CVE-2022-38150
published 2022-08-11CVE-2022-38150: In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend…
PriorityP334high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
1.14%
62.6th percentile
In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | varnish | < varnish 7.1.1-1 (bookworm) | varnish 7.1.1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| varnish-cache | varnish | >= 0 < 7.1.1-1 | 7.1.1-1 |
| varnish-cache | varnish | >= 0 < 7.1.1-1 | 7.1.1-1 |
| varnish-cache | varnish | >= 0 < 7.1.1-1 | 7.1.1-1 |
| varnish_cache_project | varnish_cache | — | — |
| varnish_cache_project | varnish_cache | — | — |
| varnish_cache_project | varnish_cache | — | — |
| varnish_cache_project | varnish_cache | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv7.5HIGH
vendor_debian7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Varnish Cache 7.0.0/7.0.1/7.0.2/7.1.0 HTTP1 Backend denial of service (FEDORA-2022-1fa6d1ed2f / EUVD-2022-40747)
vuldb·2026-06-22·CVSS 7.5
CVE-2022-38150 [HIGH] Varnish Cache 7.0.0/7.0.1/7.0.2/7.1.0 HTTP1 Backend denial of service (FEDORA-2022-1fa6d1ed2f / EUVD-2022-40747)
A vulnerability described as problematic has been identified in Varnish Cache 7.0.0/7.0.1/7.0.2/7.1.0. This affects an unknown function of the component HTTP1 Backend Handler. The manipulation results in denial of service.
This vulnerability was named CVE-2022-38150. The attack needs to be approached within the local network. There is no available exploit.
Upgrading the affected component is recommended.
GHSA
GHSA-jg6x-rh3w-6pp3: In Varnish Cache 7
ghsa_unreviewed·2022-08-12
CVE-2022-38150 [HIGH] CWE-400 GHSA-jg6x-rh3w-6pp3: In Varnish Cache 7
In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.
OSV
CVE-2022-38150: In Varnish Cache 7
osv·2022-08-11·CVSS 7.5
CVE-2022-38150 [HIGH] CVE-2022-38150: In Varnish Cache 7
In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.
Red Hat
varnish: denial of service via colon-starting reason phrase
vendor_redhat·2022-08-09·CVSS 7.5
CVE-2022-38150 [HIGH] CWE-20 varnish: denial of service via colon-starting reason phrase
varnish: denial of service via colon-starting reason phrase
In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.
A flaw was found in Varnish where a denial of service attack can be performed against Varnish Cache servers by specially formatting the reason phrase of the backend response status line. To execute an attack, the attacker needs the ability to influence the HTTP/1 responses that the Varnish Server receives from its configured backends, causing the Varnish Server to assert and automatically restart.
Mitigation: As mentioned in the upstream security advisor
Debian
CVE-2022-38150: varnish - In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Var...
vendor_debian·2022·CVSS 7.5
CVE-2022-38150 [HIGH] CVE-2022-38150: varnish - In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Var...
In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1.
Scope: local
bookworm: resolved (fixed in 7.1.1-1)
bullseye: resolved
forky: resolved (fixed in 7.1.1-1)
sid: resolved (fixed in 7.1.1-1)
trixie: resolved (fixed in 7.1.1-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW3X4PEKC5C736SCKE2UG3Y7JWKMD2K6/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2BUKFICLZBXESLQ3MXMIG3G52RZURFK/https://varnish-cache.org/security/VSV00009.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M4KVVCIQVINQQ2D7ORNARSYALMJUMP3I/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TW3X4PEKC5C736SCKE2UG3Y7JWKMD2K6/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2BUKFICLZBXESLQ3MXMIG3G52RZURFK/https://varnish-cache.org/security/VSV00009.html
2022-08-11
Published